04-23-2008 05:44 AM - edited 03-10-2019 04:04 AM
We have an ASA-5510 with an AIP-SSM IPS module. From time to time I need to run a network scanner against assets in the DMZ from the inside network. Of course the IPS is going to block most of the scanner's activities. Is there an easy way to temporarily disable the IPS functionality while the scans are running? Either command line or through the ASDM?
04-23-2008 06:26 AM
Why don't you just set up a filter to not block the traffic coming from your scanning system? This would be easy to accomplish and yet leave the security of the network intact.
There have been many conversations regarding this on the forum these past few weeks. Simply go into your IPS and create an "Event Action Filter." Simply modify the source address with that of your scanning system. You can leave the rest pretty much stock or adjust the destination to the subnet of your DMZ. Also, you'll want to keep an eye on the areas to subtract, making sure to take away the deny actions and, if necessary, reporting as well.
04-23-2008 06:52 AM
In addition to the filter idea(s) mentioned elsewhere, the sure fire way to get IPS out of the way is to set its bypass mode to "on" (vice the auto it defaults to). This will cause the IPS software to turn around packets without inspection.
04-23-2008 07:56 AM
This is exactly what you want to stay away from. The purpose of the device is to inspect traffic. So, if you're looking to do this on a continuous basis, look into the filter. If you are only going to be doing this one time, Scothrel is right though: putting it in bypass will basically render the device inert.
You can accomplish this by going to "Interface Configuration," "Bypass," and while there select ON. When you are done with whatever you're doing, ensure you go back and put the device back in Auto or OFF.
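Both options from the thread (the Event Action Filter suggested above and the bypass setting described in this reply) can also be done from the sensor CLI rather than ASDM. The following is an added example, not from any of the posters; the scanner address 10.1.1.50 and DMZ range 192.168.10.0/24 are assumed placeholders, and it assumes the sensor is reached from the ASA console with `session 1` and runs the Cisco IPS 5.x/6.x CLI.

```text
## Option 1: Event Action Filter for the scanner only; inspection stays on for everything else
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert dmz-scanner begin
sensor(config-eve-fil)# signature-id-range 900-65535
sensor(config-eve-fil)# attacker-address-range 10.1.1.50
sensor(config-eve-fil)# victim-address-range 192.168.10.0-192.168.10.255
sensor(config-eve-fil)# actions-to-remove deny-attacker-inline|deny-connection-inline|deny-packet-inline
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit

## Option 2: bypass mode; NOTHING passing through the sensor is inspected while this is on
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode on
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit

## ... run the scan ...

## Revert to the default when the scan is finished, then confirm it took
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show configuration | include bypass-mode
```

The filter is scoped to one attacker address and one victim range, and because filters are applied after event action overrides it also strips the deny actions that a high risk rating would otherwise add, so the scanner's probes are still logged but no longer dropped. Bypass is global: while it is on, the module is effectively a wire for every flow the ASA sends to it, which is why the reply above says to put it back to Auto (or Off) as soon as the scan is done. Disable or delete the filter afterwards as well if the scanner host will not be doing this regularly, since a permanently whitelisted source is an attractive pivot point.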
04-23-2008 09:32 AM
Thanks, Chickman.
Exactly the info I was looking for.
I am only going to be scanning the DMZ quarterly at most, so I will probably just bypass. Nice to know the other option exists. Have not had much time to really learn the nuts and bolts of the AIP-SSM since deployment.
04-23-2008 09:34 AM
Thanks for the advice, just what I was looking for.
04-23-2008 09:40 AM
Not a problem, if you come up with other situations, just post your questions.